Managing Communication Of Sensitive Information

ABSTRACT

Disclosed herein is a computer-implemented method of managing sensitive information and the communication thereof. The method comprising: receiving, by a first server from a second server, first sensitive information relating to a user having an account with the second server; receiving, by the first server from a user device, second sensitive information via a data entry page hosted by the first server, wherein the data entry page is configured to receive second sensitive data associated with the user and the second sensitive information is different to the first sensitive information; and associating, by the first server, the first sensitive information with the second sensitive information. The first server and the second server communicate via a first communication channel and the first server and the user device communicate via a second, different communication channel.

BACKGROUND Field

The present application relates to managing communications of anetworked system and, more specifically, to a server computer and amethod for managing the transfer of sensitive information betweenmultiple entities within such a system.

Description of the Related Technology

As technologies advance, the number of cashless transactions beingcarried out is ever increasing, which results in an increasing amount ofdata associated with such transactions being transferred across paymentnetworks, often including several different entities. Typicaltransaction systems, that are part of such payment networks, allow auser to make a payment using a payment card or a computing device byobtaining information from the card or device and communicating detailsof the transaction and the obtained information to an entity within thesystem, such as a payment service provider, for further processing.

Certain transaction systems comprise a third party, with which the userhas an account and to which communications regarding the transaction areexchanged in order to update a status of the user's account based on thedetails of the transaction.

It would be advantageous to improve a transaction system that exchangesa plurality of communications relating to a transaction. In addition, itwould be advantageous to increase the security of the communicationssent to third parties within a transaction system.

SUMMARY

According to a first aspect of the present disclosure there is provideda computer implemented method. The method comprising: receiving, by afirst server from a second server, first sensitive information relatingto a user having an account with the second server; receiving, by thefirst server from a user device, second sensitive information via a dataentry page hosted by the first server, wherein the data entry page isconfigured to receive second sensitive data associated with the user andthe second sensitive information is different to the first sensitiveinformation; and associating, by the first server, the first sensitiveinformation with the second sensitive information. The first server andthe second server communicate via a first communication channel and thefirst server and the user device communicate via a second, differentcommunication channel.

According to a second aspect of the present disclosure there is provideda server computer comprising: a processor; and a computer readablemedium configured to store executable instructions, wherein the servercomputer is configured to communicate with a user device and a secondserver computer, and the processor is configured to execute the storedexecutable instructions to: receive, from the second server computer viaa first communication channel, first sensitive information relating to auser having an account with the second server; receive, from the userdevice, second sensitive data associated with the user, wherein thesecond sensitive information is different to the first sensitiveinformation; receive, from the user device via a second, differentcommunication channel, second sensitive information via the data entrypage; and associate the first sensitive information with the secondsensitive information.

According to a third aspect of the present disclosure there is provideda system comprising a client computer, a first server and a secondserver, wherein the first server is configured to: interact with thesecond server and the client computer via respective data transferchannels; receive, from the second server via the respective datatransfer channel, first sensitive information relating to a user havingan account with the second server and associated with the clientcomputer; provide a data entry page accessible by the client computer;receive, from the client computer via the respective data transferchannel, second sensitive information associated with the user via thedata entry page, wherein the second sensitive information is differentto the first sensitive information; and link the first sensitiveinformation with the second sensitive information; wherein the clientcomputer is configured to: access the data entry page to allow the userto input the second sensitive information into the data entry page; andprovide the second sensitive information to the first server via therespective data transfer channel; wherein the second server isconfigured to: identify the account of the user; retrieve the firstsensitive information relating to the user using the identified account;and send the first sensitive information to the first server via therespective data transfer channel.

BRIEF DESCRIPTION OF THE DRAWINGS

Various features of the present disclosure will be apparent from thedetailed description which follows, taken in conjunction with theaccompanying drawings, which together illustrate, features of thepresent disclosure, and wherein:

FIG. 1 is a schematic diagram of a transaction system, according to anexample.

FIG. 2 is a schematic diagram of a first server computer, according toan example.

FIG. 3 is a schematic diagram of the transaction system of FIG. 1 ,according to an example.

FIG. 4 is a schematic diagram of the transaction system of FIG. 1 ,according to an example.

FIG. 5 is a schematic diagram of a user device, according to an example.

FIG. 6 is a schematic diagram of a transaction system, according to anexample.

FIG. 7 is a schematic representation of a database stored by a firstserver computer, according to an example.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

FIG. 1 shows a transaction system 100 to which embodiments describedherein have particular applications.

The transaction system 100 comprises a first server computer 110, asecond server computer 120 and a user device 130. The first servercomputer 110 and the second server computer 120 communicate via a firstcommunication channel 210. The first server computer 110 and the userdevice 130 communicate via a second communication channel 220. In oneexample, the first server computer 110 and the second server computer120 may receive, process, and maintain information relating to a user ofthe user device 130 and any transactions carried out using the same. Thefirst and second communication channels 210, 220 may be communicationchannels across a network, such as the Internet or a private network.

The user device 130 may be a client computer associated with a user, aportable electronic device, such as a smartphone, a smartwatch, awearable device, or a tablet computer. The user device 130 may execute asoftware application, such as an electronic mobile wallet applicationstoring payment data relating to the user that enables the user to carryout transactions using the device.

FIG. 2 shows the first server computer 110 to which embodimentsdescribed herein have particular applications. The first server computer110 comprises a communication interface 111, a memory 112, and aprocessor 130. The communication interface 111 receives and transmitscommunications via the first and second communication channels 210 and220 (FIG. 1 ) to thereby interact with the second server computer 120and the user device 130. The communication interface 111 is coupled tothe memory 112 and the processor 113 and forwards any receivedcommunications to the processor 113 via an internal bus (not shown). Thememory 112 is coupled to the processor 113 and stores computer readableinstructions 114 that are executable by the processor 113 to cause thefirst server computer 110 to perform one or more processes. As anexample, the processor 113 may execute computer-readable instructions ofone or more software applications.

Linking Data

In one example, a user associated with the user device 130 may have anaccount with the second server computer 120. For example, the secondserver computer 130 may provide a service to the user and maintain arecord for the user, where the record contains sensitive informationrelating to the user. In one example, the sensitive information may be auser's name, address, date of birth, account identifier, and historicaltransaction data. In addition, a user associated with the user device130 may have one or more other accounts with the first server computer110. For instance, the first server computer 110 may host services thatare accessible by the user device 130 and maintain a record per servicefor the user, where the record contains sensitive information relatingto the user. In one example, the sensitive information may be paymentinformation comprising payment card details (such as, a primary accountnumber (PAN), a card identifier, digits from a card number and a cardsecurity code), payment account details of the user (such as, a bankname and an account number), and historical payment data for the user.

In one example, the system 100 may perform a data linking process forthe user using the first and second communication channels 210, 220,described in more detail in relation to FIG. 3 below. As a result ofsuch a data linking process, an association may be defined betweendifferent sensitive information of the user, originating from differentsources, which can be utilized by other processes, described in moredetail in relation to FIG. 6 .

FIG. 3 shows the system 100 of FIG. 1 and a flow of communicationsexchanged between the component parts of the system 100 as part of adata linking process, according to an example.

At step S301, the first server computer 110 receives a first message M1containing first sensitive information from the second server computer120. The first sensitive information relates to a user who has anaccount with the second server computer 120.

At step S302, the first server computer 110 receives a second message M2containing second sensitive information from the user device 130. Thesecond sensitive information is received via a data entry page hosted bythe first server computer 110 and is communicated to the first servercomputer 110. The data entry page is configured to receive secondsensitive data associated with the user. The second sensitiveinformation is different to the first sensitive information. In oneexample, after receiving the second sensitive information, the firstserver computer 110 may validate the second sensitive information beforethe second sensitive information is associated with the first sensitiveinformation.

In some examples, step S301 is be triggered by the user device 130accessing a webpage hosted by the second server computer 120, forexample, accessing a user account as a result of a user interacting withthe user device 130 and navigating to their account using a web browseron the device 130. In some instances, step S130 may be triggered withoutuser involvement, for example, by the user device 130 connecting to anetwork associated with the second server computer 120, for example, aWi-Fi network.

After 302, the first server computer 110 associates the first sensitiveinformation with the second sensitive information within a database(FIG. 7 ) that the first server computer 110 maintains. For example, theassociation of the first and second sensitive information may be thestoring of the first and second information in with the same useridentifier, the storing of both the first and second information withina single record maintained by the first server computer 110 andassociated with the user, and the storing of the first and secondsensitive information in separate records that include a pointer to oneanother. In each example, any future access request specifying a commonuser identifier, or identifying one of the first and second sensitiveinformation, such as a read request, to the or each record could resultin retrieval, or at least identification, of both the first and thesecond sensitive information.

In one example, after receiving the second sensitive information, thefirst server computer 110 may validate the second sensitive informationbefore the second sensitive information is associated with the firstsensitive information.

In one example, the process described in relation to FIG. 3 may berepeated in order to link further sensitive information with the firstsensitive information in a many-to-one relationship.

The use of the different communication channels for sending respectivesensitive information enables the different sensitive information to besecurely received at a single location, first server computer 110, fromdifferent sources: in this example the second server computer 120 andthe user device 130. In particular because (i) the first sensitiveinformation is communicated directly to the first server computer 110from the second server computer 120 and is not shared with the userdevice 130 and (ii) the second sensitive information is communicateddirectly to the first server computer 110 from the user device 130 andis not shared with the second server computer 120. Consequently, thenumber of separate communications containing sensitive information isreduced compared to a system that does not have two different and directcommunication channels between a source of information and a target forthe information. This increases the security and the efficiency of thesystem 100.

In addition, the amount of sensitive information per communication isreduced, which increases security because if any one communication isintercepted by an unauthorized third party only a single piece ofsensitive information will be compromised.

Moreover, the association between the first and second sensitiveinformation and the direct communication between the first and secondserver computer 110, 120 increases the efficiency of a process carriedout by the second server computer 120 using the first sensitiveinformation because the process is automatically initiated by anotherprocess carried out by the first server computer 110 using the secondsensitive information, and vice versa. In addition, the associationmeans there is no need to provide the first or second sensitiveinformation to the first server computer 110 in order to initiate anysubsequent processes using the respective information because the firstserver already stores the association and the first and second sensitiveinformation.

Furthermore, the direct communication 210 between the second servercomputer 120 and the first server computer 110 has the effect that theuser device 130 is not involved in generating the first sensitiveinformation or providing the first sensitive information to the firstserver computer 110. In this way, the user device is not involved withthe first sensitive information which: (i) eliminates the risk oferroneous input of the information at the user device 130 (so increasesthe reliability of information); and (ii) avoids storing the firstsensitive information on the user device 130, for example a browseroperating on the user device 130 may store such sensitive informationwithin a browser history or web log, which are considered to beunsecure. In addition, the number of communications containing the firstsensitive information is reduced, thus reducing the risk of interceptionof the first sensitive information.

FIG. 4 shows the system 100 of FIG. 1 and a flow of communicationsbetween the components parts of the system 100, according to an example.FIG. 4 provides further detail to the example of FIG. 3 .

As for step S301, at step S401 the first server computer 110 receives afirst message M11 comprising first sensitive information from the secondserver computer 120, where the first sensitive information relates to auser having an account with the second server computer 120. In oneexample, the second server computer 120 maintains a database comprisinginformation relating to a plurality of users. Each of the users may havean account, such as an online account, with the second server computer120, whereby the user has previously provided particular information tothe second server computer 120 and is provided with a service, where theprovided information is stored within a record of the databasecorresponding to their account. The second server computer 120 may storeinformation relating to each user in corresponding record(s) of thedatabase to facilitate access to an account of a user to obtain firstsensitive information. In one example, the second server computer 120may search its database using an identifier associated with a user inorder to locate corresponding account information. The user device 130may provide the identifier to the second server computer 120. In someexamples, the message M11 also contains a re-direct URL, generated bythe second server computer 120, and to be forwarded to the user deviceat a later point in time (step S406).

At step S402, the first server computer 110 generates and transmits asecond message M12 comprising a session identifier to the second servercomputer 120. In some examples, the second message M12 may be embeddedwithin a first token. The first token may be used as a replacement orsubstitute for the session identifier.

At step S403, the second server computer 120 generates a third messageM13 that forwards the session identifier and a URL for a data entry pageassociated with the session identifier to the user device 130. The URLis generated by the second server computer 120 and is specific to theuser of the user device 130 to allow the second server computer 120 toidentify which user is the subject of any communication sent to the URL.The second server computer 120 may use the first token to provide thesession identifier to the user device 130. For example, the sessionidentifier may be embedded within or appended to the first token. TheURL and the session identifier enable the user device to access thecorresponding data entry page hosted by the first server computer 110and to provide second sensitive information to the first server computer110 via the data entry page.

At step S404, in response to receiving a request using the URL and thesession identifier from the user device 130, the first server computer110 may serve e.g. a web data entry page to a browser on the user device130, included in a fourth message M14. In some examples, the data entrypage is opened as an iFrame within the browser. In some examples, thefirst server computer 110 transmits a second token with the data entrypage, where the first and second tokens are different. The second tokenmay be used to submit data into the data entry page.

The use of first and second tokens provides another way of verifying theintegrity of received data and thus enables an intercepted communicationto be more easily identified if the token has been modified. In oneexample, the first and second tokens may be JSON web tokens (JWT) thatare one-time use tokens and locked to a particular resource, which, inthe example of FIG. 4 , is the session identifier for the first tokenand is the submitted data for the second token. The JWT may be presentin the header of a HTTPS request between the respective entities of thesystem 100 and used to verify the source of the data or message that theJWT accompanies. In one example the JWT is generated using an asymmetricalgorithm, such as the RSA256 algorithm.

At step S405, the first server computer 110 receives a fifth message M15that comprises the second token comprising the session identifier andthe second sensitive information from the user device 130 via the dataentry page. The session identifier provides a way for the user device130 to identify to the first server computer 110 that the secondsensitive information is sent by the user device 130. The first servercomputer 110 validates the second sensitive information, by, in someexamples, forwarding the second sensitive information to an accountvalidating entity.

After the second information is validated the first server computer 110associates the second sensitive information with the first sensitiveinformation.

At step S406, the first server computer 110 provides the re-direct URLto the user device 130 in a seventh message M17. The re-direct URLcauses the browser of the user device 130 to automatically access awebpage associated with the second server computer 120 and identified bythe re-direct URL.

In one example, the process described in relation to FIG. 4 may berepeated with other server computers in direct communication with thefirst server computer 110 so that the first server computer 110 linksother sensitive information received from the respective other serverswith the second sensitive information. As such, the second sensitiveinformation may be linked with information provided by multiple sourcesand thus be in a many-to-one relationship. Consequently, an accessrequest for the second sensitive information submitted to a database ofthe first server computer 110 could return some or all sensitiveinformation previously associated with the second sensitive informationby the first server computer 110.

FIG. 5 shows the user device 130. The user device 130 may be running aweb browser 132 that accesses a webpage hosted by the second servercomputer 120 to initiate a data linking process at step S401 of FIG. 4 .The web browser 132 may also access a data entry page 134 hosted by thefirst server computer 110 at step S404 of FIG. 4 . The web browser 132accesses the data entry page 134 by providing a session identifier tothe first server computer 110, where the session identifier was receivedfrom the first server computer 110 via the second server computer 120 atstep S403 of FIG. 4 . The web browser 132 may subsequently access a webpage associated with the re-direct URL provided to the user device 130at step S406 of FIG. 4 .

Use Cases-Linked Data

In some examples, the linked or associated sensitive informationmaintained by the first server computer 110 may be an associationbetween different sources, such as an electronic wallet applicationexecuting on a user device and a loyalty scheme account of a loyaltyscheme provider, and used to process transactions involving the userdevice.

FIG. 6 shows the system 100 of FIG. 1 and a flow of communicationstransferred between the component parts of the system 100 as part of aprocess of using linked data, according to an example.

In this example system 100 is communicatively coupled to a merchantpoint-of-sale (POS) device 150. The POS device 150 is associated with amerchant that provides goods and/or services, or access thereto, to auser based on a transaction.

To initiate such a transaction, at step S601, the user device 130, suchas a mobile phone executing an electronic wallet application, providessensitive information to the POS device 150. In one example, thesensitive information comprises payment card details or details of apayment account. At step S602, the POS device 150 communicates thesensitive information and corresponding transaction data to the firstserver computer 110. In one example, the corresponding transaction datacomprises a transaction amount. In one example, the POS device 150 is incommunication with another computing entity that processes the paymentand/or transaction data before forwarding it on to the first servercomputer 110.

The first server computer 110 maintains a database 700 (FIG. 7 )containing sensitive information for a plurality of users that each havean account with the first server computer 110.

In the example of FIG. 7 , the database 700 has five columns: Record ID;Surname; Loyalty card ID, Payment card ID; and Account number, andmaintains a plurality of records 730, each corresponding to a respectiveuser. The loyalty card ID column contains the first sensitiveinformation 710 previously provided to the first server computer 110 bythe second server computer 120 as part of a data linking process(described in relation to FIGS. 1-5 ). The Payment card ID and theAccount number columns contain the second sensitive information 720previously provided to the first server computer 110 by the user device130 as part of the data linking process (described in relation to FIGS.1-5 ).

Based on the sensitive information received at step S601, such aspayment card details or details of a payment account, the first servercomputer 110 identifies a record of the plurality of records in thedatabase 700 associated with the user device 130. In this example, thesensitive information comprises a payment card identifier “3003”.Accordingly, the identifier “3003” is used as the basis for a searchwithin the database 700. A search based on “3003” would identify therecord with record ID “3” in the database 700. The first server computer110 proceeds to retrieve other sensitive information, such as theloyalty card ID number “67832”, that was previously associated with thereceived sensitive information “3003” in a data linking process from theidentified record “3”, where at least some of the other sensitiveinformation was previously provided by the second server computer 120 inaccordance with steps 301 and 401 described above.

Returning to FIG. 6 , at step S603, the first server computer 110communicates the transaction data and at least some of the sensitiveinformation, including at least the loyalty card ID “67832” within theidentified record “3” to the second server computer 120 with which theuser of the user device 130 has an account. The second server computer120 identifies the user's account using the loyalty card ID “67832” andupdates the user's account based on the transaction data.

In some examples, after step S603, the second server computer 120 sendsa communication to the user device 130 notifying the user that theiraccount with the second server computer 120 has been updated based onthe transaction.

In other examples, the first server computer 110 may be queried, forexample by the second server computer 120, to retrieve details of theassociation between an account maintained by the second server computer120 and one or more maintained by the first server computer 110.

Implementation Examples

The system 100 described in relation to FIGS. 1-7 may have particularapplication in a transaction system where the first server computer 110is a payment processing server and the second server computer 120 is aloyalty scheme server. The payment processing server 110 may comprise atransaction service provider and/or an issuer server, or be incommunication therewith, to process transaction and payment data toenable a transaction between a user and a merchant to be authorized andcompleted. The loyalty scheme server 120 maintains loyalty accounts fora plurality of users and updates the status of each account based on andin response to transactions that the respective users carry out atmerchant locations, for example, at a merchant's POS device, which maybe in a store or implemented as software on the merchant's website. Assuch, the loyalty scheme server 120 and the payment processing server130 have a shared interest in user transactions.

As described above, different sensitive information relating to a userand received from different sources may be linked or associated with oneanother. In the aforementioned transaction system example, the paymentprocessing server 110 receives sensitive information relating to a userfrom the loyalty scheme server 120 (for example, a loyalty schemeidentifier) and the user device 130 (for example, payment card details)and defines an association between the two and thus, a user's loyaltyaccount, for which a user may have a physical or an electronic loyaltyaccount card, and a user's payment account, for which the user may havea physical or an electronic payment card. Accordingly, the associationbetween the user's loyalty account and the user's payment account wouldbe understood to be an association between the user's loyalty accountcard and the user's payment account card. In one example, a user maylink multiple payment cards to a single loyalty account card byrepeating the methods described in relation to FIGS. 3 and 4 . In such ascenario, in the example of FIG. 7 the database would contain a single“Loyalty card ID” column and multiple “Payment card ID” columns, such as“1^(st) Payment card ID”, “2nd Payment card ID”, etc.

As described in relation to FIGS. 6 and 7 , based on an associationbetween different sensitive information relating to a single user,transaction data may be monitored and passed directly from the paymentprocessing server 110 to the loyalty scheme server 120 so that a useraccount maintained by the loyalty scheme server 120 can be updated,without requiring user intervention or further communications with theuser device 130, when the payment processing server 110 is processing atransaction. For instance, the user is not required to separatelyinteract with the merchant's POS device 150 using their loyalty accountcard and their payment account card. Rather, a single interactionbetween the POS device 150 and the user's payment account cardfacilitates the updating of the user's loyalty account, which simplifiesthe transaction system 100 and interactions thereof, as described above.

The transaction data may be sent to the loyalty scheme provider 120 withthe sensitive information (for example, the loyalty account identifieror a corresponding loyalty card number) previously received by theloyalty scheme server 120 to enable the loyalty scheme provider 120 toidentify the relevant user account. The transaction data may include oneor more of the following: a unique payment account or card identifier;an authentication code; a transaction identifier; a transaction amount;a transaction currency; a transaction date and time; a merchantdescriptor name; and a merchant identifier.

The loyalty scheme server 120 analyses the transaction data to determineany updates to be made to a corresponding user account. This analysismay comprise comparing the transaction data to data relating to themerchant, either stored by the loyalty scheme server 120, or provided bythe merchant's POS device 150, to determine the eligibility of thetransaction data for being the basis on which an update to a user'sloyalty account is made.

In one example, the loyalty scheme provider may update a user account byincrementing a counter value based on received transaction data. Forinstance, a number of points may be awarded to a user's loyalty accountbased on a monetary value of a transaction.

Fewer communications are used within the transaction system 100 andthus, less sensitive information is communicated within the system,which means the loyalty scheme server 120, and the transaction system100 as a whole, operates in a much more efficient and secure way. Inaddition, in some examples the loyalty scheme server 120 may not complywith the Payment Card Industry Data Security Standard (PCI DSS), andthus may be referred to as being outside “PCI scope”. Accordingly, thetransaction system 100 enables the loyalty scheme server 120 to receivedetails on transactions from the payment processing server 110 withoutneeding to become PCI compliant.

In the preceding description, for purposes of explanation, numerousspecific details of certain examples are set forth. Reference in thespecification to “an example” or similar language means that aparticular feature, structure, or characteristic described in connectionwith the example is included in at least that one example, but notnecessarily in other examples.

Although at least some aspects of the embodiments described herein withreference to the drawings comprise computer processes performed inprocessing systems or processors, the invention also extends to computerprograms, particularly computer programs on or in a carrier, adapted forputting the invention into practice. The program may be in the form ofnon-transitory source code, object code, a code intermediate source andobject code such as in partially compiled form, or in any othernon-transitory form suitable for use in the implementation of processesaccording to the invention. The carrier may be any entity or devicecapable of carrying the program. For example, the carrier may comprise astorage medium, such as a solid-state drive (SSD) or othersemiconductor-based RAM; a ROM, for example a CD ROM or a semiconductorROM; a magnetic recording medium, for example a floppy disk or harddisk; optical memory devices in general; etc.

The above examples are to be understood as illustrative. It is to beunderstood that any feature described in relation to any one example maybe used alone, or in combination with other features described, and mayalso be used in combination with one or more features of any other ofthe examples, or any combination of any other of the examples.Furthermore, equivalents and modifications not described above may alsobe employed.

What is claimed is:
 1. A computer-implemented method comprising:receiving, by a first server from a second server, first sensitiveinformation relating to a user having an account with the second server;receiving, by the first server from a user device, second sensitiveinformation via a data entry page hosted by the first server, whereinthe data entry page is configured to receive second sensitive dataassociated with the user and the second sensitive information isdifferent to the first sensitive information; and associating, by thefirst server, the first sensitive information with the second sensitiveinformation; wherein the first server and the second server communicatevia a first communication channel and the first server and the userdevice communicate via a second, different communication channel.
 2. Thecomputer-implemented method of claim 1, further comprising, in responseto receiving the first sensitive information: transmitting, by the firstserver to the second server, a session identifier, wherein the secondserver forwards the session identifier to the user device so that theuser device can access the data entry page.
 3. The computer-implementedmethod of claim 1, further comprising, in response to receiving thefirst sensitive data: transmitting, by the first server to the secondserver, a first token with the session identifier.
 4. Thecomputer-implemented method of claim 3, further comprising: providing,by the first server to the user device, a second token and the dataentry page, wherein the second token is used to provide the secondsensitive information to the first server.
 5. The computer-implementedmethod of claim 4, wherein the first and second tokens are differenttokens.
 6. The computer-implemented method of claim 1, furthercomprising: receiving, by the first server from the second server, are-direct URL; and providing, by the first server to the user device,the re-direct URL, such that a browser of the user device automaticallyaccesses a resource associated with the second server using there-direct URL after the second sensitive information has been inputtedto the data entry page.
 7. The computer-implemented method of claim 1,further comprising: accessing, by the second server, the account of theuser; and obtaining the first sensitive information.
 8. Thecomputer-implemented method of claim 1, further comprising: receiving,by the second server, an identifier of the user, wherein the identifieris associated with the account of the user.
 9. A computer readablemedium comprising instructions executable by a processor to cause theprocessor to perform the computer-implemented method of claim
 1. 10. Aserver computer comprising: a processor; and a computer readable mediumconfigured to store executable instructions, wherein the server computeris configured to communicate with a user device and a second servercomputer, and the processor is configured to execute the storedexecutable instructions to: receive, from the second server computer viaa first communication channel, first sensitive information relating to auser having an account with the second server; receive, from the userdevice, second sensitive data associated with the user, wherein thesecond sensitive information is different to the first sensitiveinformation; receive, from the user device via a second, differentcommunication channel, second sensitive information via the data entrypage; and associate the first sensitive information with the secondsensitive information.
 11. The server computer of claim 10, configuredto: host a data entry page accessible by the user device and configuredto receive the second sensitive data.
 12. The server computer of claim11, wherein the processor is configured to execute the stored executableinstructions to: transmit, to the second server computer via the firstcommunication channel, a session identifier, wherein the second servercomputer forwards the session identifier to the user device so that theuser device can access the data entry page.
 13. The server computer ofclaim 10, wherein the processor is configured to execute the storedexecutable instructions to: transmit, to the second server computer viathe first communication channel, a first token with the sessionidentifier.
 14. The server computer of claim 13, wherein the processoris configured to execute the stored executable instructions to: provide,to the user device via the second communication channel, a second tokenand the data entry page, wherein the second token is used to provide thesecond sensitive information to the server computer.
 15. The servercomputer of claim 14, wherein the first and second tokens are differenttokens.
 16. The server computer of claim 12, wherein the processor isconfigured to execute the stored executable instructions to: receive,from the second server computer via the first communication channel, are-direct URL; and provide, to the user device via the secondcommunication channel, the re-direct URL, such that a browser of theuser device automatically accesses a resource associated with the secondserver computer using the re-direct URL after the second sensitiveinformation has been inputted to the data entry page.
 17. A systemcomprising a client computer, a first server and a second server,wherein the first server is configured to: interact with the secondserver and the client computer via respective data transfer channels;receive, from the second server via the respective data transferchannel, first sensitive information relating to a user having anaccount with the second server and associated with the client computer;provide a data entry page accessible by the client computer; receive,from the client computer via the respective data transfer channel,second sensitive information associated with the user via the data entrypage, wherein the second sensitive information is different to the firstsensitive information; and link the first sensitive information with thesecond sensitive information; wherein the client computer is configuredto: access the data entry page to allow the user to input the secondsensitive information into the data entry page; and provide the secondsensitive information to the first server via the respective datatransfer channel; wherein the second server is configured to: identifythe account of the user; retrieve the first sensitive informationrelating to the user using the identified account; and send the firstsensitive information to the first server via the respective datatransfer channel.
 18. The system of claim 17, wherein: the first serveris configured to: send a session identifier to the second server via therespective data transfer channel; and the second server is configuredto: forward the session identifier to the client computer; and theclient computer is configured to: access the data entry page using thesession identifier.
 19. The system of claim 18, wherein: the firstserver is configured to, in response to receiving the first sensitivedata: send a first token with the session identifier to the secondserver via the respective data transfer channel.
 20. The system of claim19, wherein: the first server is configured to: provide a second tokento the client computer; and the client computer is configured to: usethe second token to provide the second sensitive information to thefirst server.